{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1046 - Network Service Scanning",
    "\n",
    "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Port Scan\nScan ports to check for listening ports.\n\nUpon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `sh`\n```sh\nfor port in {1..65535};\ndo\n  echo >/dev/tcp/192.168.1.1/$port && echo \"port $port is open\" || echo \"port $port is closed\" : ;\ndone\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1046 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - Port Scan Nmap\nScan ports to check for listening ports with Nmap.\n\nUpon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to determine if listening. Results will be via stdout.\n\n**Supported Platforms:** linux, macos\n#### Dependencies:  Run with `sh`!\n##### Description: Check if nmap command exists on the machine\n\n##### Check Prereq Commands:\n```sh\nif [ -x \"$(command -v nmap)\" ]; then exit 0; else exit 1; fi;\n\n```\n##### Get Prereq Commands:\n```sh\necho \"Install nmap on the machine to run the test.\"; exit 1;\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1046 -TestNumbers 2 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `sh`\n```sh\nnmap -sS 192.168.1.0/24 -p 80\ntelnet 192.168.1.1 80\nnc -nv 192.168.1.1 80\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1046 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - Port Scan NMap for Windows\nScan ports to check for listening ports for the local host 127.0.0.1\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Dependencies:  Run with `powershell`!\n##### Description: NMap must be installed\n\n##### Check Prereq Commands:\n```powershell\nif (cmd /c \"nmap 2>nul\") {exit 0} else {exit 1}\n```\n##### Get Prereq Commands:\n```powershell\nInvoke-WebRequest -OutFile $env:temp\\nmap-7.80-setup.exe https://nmap.org/dist/nmap-7.80-setup.exe\nStart-Process $env:temp\\nmap-7.80-setup.exe /S\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1046 -TestNumbers 3 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\nnmap 127.0.0.1```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1046 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used. Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed. Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the networks and inspect intra-network flows to detect port scans."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Shield Active Defense\n### Software Manipulation \n Make changes to a system's software properties and functions to achieve a desired effect. \n\n Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system.\n#### Opportunity\nThere is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.\n#### Use Case\nA defender can change the output of a recon commands to hide simulation elements you don\u2019t want attacked and present simulation elements you want the adversary to engage with.\n#### Procedures\nHook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities.\nHook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use.\nAlter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier.\nAlter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}